In most automated machine control systems, whether hardwired, PLC-based, or computerized, there is one big RED push button on the control panel labelled "EMERGENCY STOP." When pushed, this button deactivates all electronic controls and brings the machine to a halt in whatever state it is in.

A similar master stop button in the hand of the driver could be the answer to all kinds of exigencies arising from hardware/software malfunction, and could avoid many an accident caused by system failures that require emergency manual intervention.

For the designers of the much-touted "self-driven" car, this is a lesson worth learning.

I am in no way trying to defend buggy software or buggy hardware, I'm just asking how far does one have to go, and will it ever be far enough?

A fair question, but you don't want to go with the logical fallacy of "If it isn't 100% then it is useless." Examples of this type of thinking:

A seat belt won't protect you from all accidents, so you might as well not wear one at all.

A car lock won't protect your car from all thieves, so you shouldn't even bother locking the car. In fact, make it more convenient for yourself by leaving the keys in the ignition.

Is a seat belt good enough if people are still dying in car crashes? Do you see the fallacy of this type of thinking?

We'll never get 100% safe, but I'll definitely go for 'safer'. And we can have standards and tests for safe design practices that lead to what is considered safe enough.

We understand SEUs and their effects pretty well. To support military projects, many logic synthesis tools can automatically implement logic that isn't vulnerable to single bit flips. People here have given examples of how code can be designed to handle unexpected jumps or variable flips, and these kinds of effects can be predicted and tested.

You can never get 100% error free, but implementing certain design styles and testing can definitely improve safety. I'll go with that, over nothing at all.

True, Caleb, "mere humans" can be taken by surprise and perform all sorts of erroneous responses.

But in this specific case, where we're talking about the throttle, it's not clear what was involved. For example, it does not appear difficult to compare the throttle command, or the fuel intake, with the accelerator pedal position, as a reasonableness check. Is it that such a check was not done, or that for some reason it failed? Or was it associated with a cruise control malfunction?

"If unintended acceleration occurs, certainly in a 2005 car, put the car in neutral and shut off the engine!"

One thing you need to be aware of - in most modern automobiles with an automatic transmission, shifting gears is really more of a "suggestion" than a command.

Said another way, there is a CPU in between the gear selector switches that are being opened and closed, and the transmission. If the very CPU which is causing UA is responsible for monitoring those "gear shift suggestions"... oh dear! So much for shifting into neutral.

I drive a manual transmission because it's fun, but I'm starting to see the value in the ability to physically disconnect the transmission from the engine.

I don't think we'll see the mechanical connection from pedal to brakes go away any time soon, but I wonder how far away we are from "Steer by Wire"

P.S. Same thing goes for many of the "push button start" vehicles - there is no key to rip out of the steering column. Press and hold the ON/OFF switch for a few seconds while hurtling down the road at 130MPH like Rhonda Smith? (Just find her 10 minute testimony on YouTube and tell me she's not credible!)

Speaking of standards, though, the expert group did find that Toyota failed to comply with "OSEK," an international standard API specifically designed for use in automotive software. Toyota's Ex-OSEK850 version was not certified as OSEK compliant, according to Barr.

"Memory corruption as little as one bit flip can cause a task to die. This can happen by hardware single-event upsets -- i.e., bit flip -- or via one of the many software bugs, such as buffer overflows and race conditions, we identified in the code."

So he mentions hardware SEU, but also software bugs like buffer overflows & race conditions, which makes me wonder the following:

Consider a hypothetical safety-critical system that many might consider very well-engineered. Suppose that the software in this system is so well done & well-tested that there are no buffer overflows, no race conditions, no possibility of software-induced memory corruption whatsoever. In this hypothetical near-perfect system, the only way for memory to get corrupted is by SEU, and then only if the SEU goes uncorrected or the fail-safe systems fail to guard against it.

Suppose further that the engineers carefully considered SEU, and included fairly powerful ECC to guard against its ill effects. Perhaps they even considered how much higher the SEU rate might be in a high-altitude city during peak solar flare activity. Is that enough? As I mentioned above, we're still dealing with probabilities that can never be zero.

I am in no way trying to defend buggy software or buggy hardware, I'm just asking how far does one have to go, and will it ever be far enough?

Larry: I had already posted the above before I saw your reply.

"If you look at modern automotive control systems they are beginning to introduce redundant voting controls. This is an effective way of effectively eliminating this type of error, be it from hardware or software."

Redundant voting controls, dual CPUs running the same code in lock step, and so on. But the key statement you made is that these are a way of "effectively eliminating this type of error," and I am asking how effective must "effectively" be, in quantitative terms?

Yeah, throwing it in neutral sounds like the ultimate solution. However, in that instant of completely unexpected acceleration, much damage can be done before even the most vigilant person can respond.

I've worked around control software for nuclear devices, which obviously operate by a different set of rules than just about any other. One interesting safeguard is testing within the body of critical functions to ensure that the function was entered at the top, rather than as a random jump into the body of the code (potentially the kind of error that could result from cosmic rays). One of the guys on our team was former military, and he told us that they had running bets whether the missiles would actually fire, given a valid control sequence. None of them believed that it would fire by accident.

If you look at modern automotive control systems they are beginning to introduce redundant voting controls. This is an effective way of effectively eliminating this type of error, be it from hardware or software.
